/// <summary>
/// Resolves the permissions.
/// </summary>
/// <param name="scope">The scope.</param>
/// <param name="recordSet">The record set.</param>
/// <param name="sids">The sids.</param>
/// <returns></returns>
private static PermissionRecord ResolvePermissions(string scope, PermissionRecordSet recordSet, string[] sids)
{
//string[] roles = ProfileContext.Current.GetRolesForUser();
PermissionRecord returnPR = new PermissionRecord();
PermissionRecord pr = null;
if (sids != null)
{
foreach (string sid in sids)
{
pr = recordSet[PermissionHelper.CreatePermissionKey(scope, sid)];
if (pr != null)
{
returnPR.Merge(pr);
}
}
}
return(returnPR);
}
/// <summary>
/// Checks the anonymous.
/// </summary>
/// <param name="scope">The scope.</param>
/// <param name="permission">The permission.</param>
/// <param name="recordSet">The record set.</param>
/// <returns></returns>
private static bool CheckAnonymous(string scope, Permission permission, PermissionRecordSet recordSet)
{
return(true);
}
/// <summary>
/// Checks permissions in the following order:
/// 1. Check permissions for the organization active user belongs to.
/// 2. Check permissions for the role user belongs to.
/// 3. Check permissions for the user himself.
///
/// The later check overrides the previous one if permission is explicitely defined.
/// </summary>
/// <param name="scope"></param>
/// <param name="permission"></param>
/// <param name="recordSet"></param>
/// <returns></returns>
public static bool CheckPermission(string scope, Permission permission, PermissionRecordSet recordSet)
{
bool allow = true;
PermissionRecord permissionRecord = null;
// Administrator has unlimited access rights
if (Roles.IsUserInRole("Administrator"))
{
return(true);
}
//return true; // for development return true always
// Step 1: check organization
CustomerProfile profile = ProfileContext.Current.Profile;
if (profile != null)
{
// check if user is anonymous, if so just check roles
if (profile.IsAnonymous)
{
return(CheckAnonymous(scope, permission, recordSet));
//string[] roles = ProfileContext.Current.GetRolesForUser();
}
Account account = profile.Account;
if (account == null) // if no account exists, continue to check as if user is anonymous
{
return(CheckAnonymous(scope, permission, recordSet));
}
permissionRecord = ResolvePermissions(scope, recordSet, new string[1] {
account.Organization.PrincipalId.ToString()
});
if (permissionRecord != null)
{
allow = permissionRecord.GetBit(permission);
}
}
// Step 2: check roles
string[] roles = ProfileContext.Current.GetRolesForUser();
if (roles != null)
{
permissionRecord = ResolvePermissions(scope, recordSet, roles);
if (permissionRecord != null)
{
allow = permissionRecord.GetBit(permission);
}
}
// Step 3: check user
permissionRecord = ResolvePermissions(scope, recordSet, new string[1] {
ProfileContext.Current.UserId.ToString()
});
if (permissionRecord != null)
{
allow = permissionRecord.GetBit(permission);
}
//ProfileContext.Current.GetAccount()
return(allow);
}
